Full Report
The author of this post noted a weird issue on Twitter: thieves were wrecking a man's car in order to eventually steal it. Why and how? They wanted direct access to the Controller Area Network (CAN) bus. The Toyota has telemetry that conveniently logs all errors on the CAN bus. On the RAV4, the headlights connect to the CAN bus directly, which is why the attackers removed the headlights. The telemetry showed that the headlights had a communication failure, and not just the lights: many other things as well. Ian, the car owner, went on the dark web to find devices used to steal all sorts of cars. Eventually, he decided to buy one of these devices in order to reverse engineer it. This is where the author of the post comes into the situation: he's an expert on CAN buses.

When most people think about stealing cars, they think about issues with the smart key or key fob, from relay attacks to replay attacks. Since these issues are getting fixed, the attackers have moved to a new technique, which the article discusses: CAN bus injection. By sending data directly on the CAN bus, we can force the car to perform actions. This is possible because the CAN bus is considered a trusted environment; there is no validation of who sends a message.

The device is a JBL music speaker with a CAN transceiver attached to it. The device gets connected to the CAN bus (commonly through the headlight) to impersonate the smart key Electronic Control Unit (ECU). In particular, it connects and sends the "Smart Key is valid" signal to the car 20 times per second. This isn't enough though! Since the bus already has other devices on it, the device also stops them from writing to the bus, using its dominant-override wire. By doing this over and over again, the car can be tricked into turning on. The author dives into the anatomy of the CAN bus protocol in more depth throughout the article, and from this we can really understand how the injector works.

To fix this problem, the author suggests using cryptographic primitives to prevent random devices from jumping onto the bus. Additionally, a more brittle fix would be to program the smart key CAN frame to be accepted only if no bit errors were found on the bus recently. Overall, an interesting article into the dark web and how people are actually stealing cars.
Analysis Summary
# Tool/Technique: CAN Bus Injection (Headlight Attack)
## Overview
CAN Bus Injection is a sophisticated hardware-based attack used to steal modern vehicles by bypassing the engine immobilizer. The technique involves physically accessing the vehicle's Controller Area Network (CAN) bus—often through external points like a headlight connector—and injecting fraudulent messages to impersonate a "Key is Valid" signal from the Smart Key ECU, tricking the car into unlocking and starting.
## Technical Details
- **Type**: Technique / Hardware Tool (often disguised as consumer electronics)
- **Platform**: Automotive (specifically vehicles using unencrypted CAN bus protocols; notably Toyota RAV4 and Land Cruiser)
- **Capabilities**: ECU impersonation, signal injection, dominant-override bus suppression, engine immobilizer bypass.
- **First Seen**: Publicly documented in detail circa April 2022 (Toyota RAV4 case).
## MITRE ATT&CK Mapping
*Note: MITRE ATT&CK for ICS/Mobile often applies here, as enterprise IT mappings are less direct.*
- **[TA0001 - Initial Access]**
  - **[T0818 - Remote System Discovery]** (via Telematics)
  - **Hardware Access**: Physical tampering with vehicle exterior (Headlight/Bumper) to access communication wires.
- **[TA0003 - Persistence / TA0005 - Evasion]**
  - **[T0849 - Masquerade]**: Impersonating the Smart Key ECU.
- **[TA0002 - Execution]**
  - **[T0827 - Loss of Control]**: Sending unauthorized "Start" and "Unlock" commands.
## Functionality
### Core Capabilities
- **CAN Transceiver Access**: The tool uses a CAN transceiver to interface with the vehicle's internal communication network.
- **Message Injection**: It floods the CAN bus with high-priority messages (e.g., "Smart Key is Valid") at a rate of approximately 20 times per second.
- **Trust Exploitation**: Exploits the lack of authentication/validation in standard CAN bus protocols, where any device on the bus is considered a "trusted" source.
### Advanced Features
- **Stealth Packaging**: Tools are frequently disguised as innocuous consumer devices, such as JBL Bluetooth speakers, to avoid detection by law enforcement if the thief is stopped.
- **Dominant-Override Wire**: The device uses a specific wire to prevent the legitimate ECU from writing to the bus, effectively "silencing" the real security systems to ensure the injected fraudulent signal is the only one "heard" by the car's gateway.
- **Gateway Bypass**: By connecting to the "Control" CAN bus (via the headlight), the device can communicate across gateways to the Powertrain CAN bus.
## Indicators of Compromise
- **File Hashes**: N/A (Firmware is typically locked on the custom hardware device).
- **Physical Indicators**:
  - Dislodged front bumpers.
  - Unplugged or damaged headlight assemblies.
  - Exposed wiring harnesses in the front wheel well.
- **Behavioral Indicators**:
  - **Diagnostic Trouble Codes (DTCs)**: Multiple "Communication Failure" or "Timeout" errors logged via vehicle telematics (e.g., Toyota MyT app).
  - Unexpected loss of communication with Lighting Control ECU or Front Camera modules.
  - CAN bus signal anomalies (high bus load/collisions).
## Associated Threat Actors
- Cyber-criminal syndicates selling "Emergency Start" devices on dark web forums and encrypted messaging apps for prices ranging from €2,500 to €5,000.
## Detection Methods
- **Telematics Monitoring**: Real-time alerts for specific DTCs related to ECU communication loss (Headlight/Lighting ECU) while the vehicle is parked.
- **Intrusion Detection Systems (IDS)**: Automotive IDS that monitor for "message frequency anomalies" (e.g., the 20 Hz injection rate) or unexpected source addresses on the CAN bus.
- **Physical Inspection**: Checking for tampering with the wiring harness behind the front bumper or wheel arch.
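As an added example (not code from the article or from any IDS product), the kind of baseline-versus-capture rate check an automotive IDS would run over candump-style log lines: an ID that is unknown to the baseline, or that arrives far faster than its learned period (here a 20 Hz burst against a 5 Hz baseline), is flagged. The log lines, CAN IDs and timings are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed candump-style lines "(timestamp) iface ID#DATA"; IDs and timings
# are made up for this example and do not come from any real vehicle.
BASELINE_LOG = """\
(0.000) can0 1A0#00
(0.200) can0 1A0#00
(0.400) can0 1A0#00
(0.000) can0 2B4#01
(0.500) can0 2B4#01
"""
# Capture while parked: 1A0 now arrives at 20 Hz and an unseen ID shows up.
SUSPECT_LOG = """\
(10.000) can0 1A0#00
(10.050) can0 1A0#00
(10.100) can0 1A0#00
(10.150) can0 1A0#00
(10.200) can0 1A0#00
(10.025) can0 3C7#FF
(10.075) can0 3C7#FF
(10.125) can0 3C7#FF
"""
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#")

def frame_stats(text):
    """Per CAN ID: (frame count, mean gap in seconds between frames or None)."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped
            stamps[m.group("id").upper()].append(float(m.group("ts")))
    stats = {}
    for cid, ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        stats[cid] = (len(ts), sum(gaps) / len(gaps) if gaps else None)
    return stats

def find_anomalies(baseline_text, capture_text, speedup=2.0, min_frames=3):
    """Flag IDs unknown to the baseline, or sent >speedup times faster than baseline."""
    base = frame_stats(baseline_text)
    alerts = {}
    for cid, (count, period) in frame_stats(capture_text).items():
        if count < min_frames:
            continue  # too few frames to judge a rate
        if cid not in base:
            alerts[cid] = "unknown ID on bus"
        elif period and base[cid][1] and period * speedup < base[cid][1]:
            alerts[cid] = f"rate {base[cid][1] / period:.1f}x baseline"
    return alerts
```

Running `find_anomalies(BASELINE_LOG, SUSPECT_LOG)` flags `1A0` at four times its baseline rate and `3C7` as an ID never seen before; the baseline checked against itself produces no alerts.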
## Mitigation Strategies
- **Cryptographic Primitives**: Implementing Message Authentication Codes (MACs) for sensitive CAN frames (e.g., SecOC - Secure Onboard Communication) to prevent unauthorized devices from injecting valid-looking data.
- **Zero-Bit Error Validation**: (Brittle fix) Programming the Gateway/Smart Key ECU to reject "Key Valid" frames if they are preceded by or coincide with bit errors/overrides on the bus.
- **Gateway Hardening**: Restricting the "bridging" of messages from external-facing buses (like lighting) to critical powertrain/security buses.
- **Physical Security**: Hardening access to the CAN bus wiring in vulnerable locations (using armored cabling or hidden routing).
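An added illustration of the MAC-based mitigation above, not code from the article or from any SecOC implementation: each "key valid" frame carries a truncated tag computed over the CAN ID, the payload and a freshness counter, so the receiver rejects frames from a device that lacks the key as well as replays of a genuine frame. The CAN ID, the 8-byte frame layout, the 4-byte tag length and the use of HMAC-SHA256 in place of AES-CMAC are assumptions of this example.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real ECU would keep its key in protected storage.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEY_VALID_ID = 0x1A0  # assumed CAN ID for the "smart key is valid" frame
MAC_BYTES = 4         # assumed truncation; SecOC also truncates the tag

def mac(key, can_id, payload, counter):
    """Tag over ID, payload and full 32-bit freshness counter. HMAC-SHA256 stands
    in for the AES-CMAC that real SecOC profiles use (stdlib-only assumption)."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]

def build_frame(key, can_id, payload, counter):
    """8-byte data field (assumed layout): 2 payload, 2 low counter bits, 4 MAC."""
    assert len(payload) == 2
    return payload + struct.pack(">H", counter & 0xFFFF) + mac(key, can_id, payload, counter)

class Receiver:
    """Accepts a frame only if its MAC verifies under a counter newer than the last one."""
    def __init__(self, key, can_id, window=16):
        self.key, self.can_id, self.window = key, can_id, window
        self.last = -1  # last accepted freshness counter

    def accept(self, data):
        if len(data) != 8:
            return False
        payload, low, tag = data[:2], struct.unpack(">H", data[2:4])[0], data[4:]
        # Rebuild the full counter from its truncated low bits: only the next
        # `window` values are tried, so a replayed (older) counter never matches.
        for cand in range(self.last + 1, self.last + 1 + self.window):
            if cand & 0xFFFF != low:
                continue
            if hmac.compare_digest(tag, mac(self.key, self.can_id, payload, cand)):
                self.last = cand
                return True
        return False  # replayed, forged, or too far ahead of the window

def demo():
    rx = Receiver(DEMO_KEY, KEY_VALID_ID)
    genuine = build_frame(DEMO_KEY, KEY_VALID_ID, b"\x00\x01", 7)
    return {
        "genuine": rx.accept(genuine),
        "replay": rx.accept(genuine),  # same counter presented again
        "forged": rx.accept(b"\x00\x01\x00\x08" + bytes(4)),  # right counter, guessed tag
        "next": rx.accept(build_frame(DEMO_KEY, KEY_VALID_ID, b"\x00\x01", 8)),
    }
```

The counter state makes the check stateful on the receiving ECU, which is the price of replay resistance; the truncated tag still leaves a brute-force margin of 2^32 per frame, which is why SecOC pairs truncation with freshness rather than relying on the tag alone.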
## Related Tools/Techniques
- **Relay Attack**: Capturing and retransmitting signals from a legitimate key fob (this tool is the "successor" to relay attacks as key fobs become more secure).
- **OBD-II Port Injection**: Using the diagnostic port to program new keys or bypass security.
- **CANHack**: A research toolkit for injecting faults and frames into the CAN protocol.